Practical Software Supply Chain Assurance


The Cryptographically Secure, Automatic Assurance Software Development Environment (CSAADE) framework provides evidence-based evaluation to detect vulnerabilities and cyber attacks impacting the software supply chain [1]. CSAADE automatically generates and collects evidence of the software product, its components, and the host development environment throughout the software pipeline. It implements a software chain-of-custody to protect the collected evidence and provide a cryptographic linkage between evidence and software products. This evidence forms the basis for a logical software assurance score that can be used by stakeholders and software consumers to make risk-informed decisions regarding the security posture of the final software product and the supply chain as a whole. Early proof-of-concept results demonstrated that the CSAADE methodology is effective in detecting and mitigating sophisticated malicious activities within the supply chain [1], such as the SolarWinds attack [2].

We present Modular CSAADE with a new modular architecture and additional analysis capabilities to simplify integration and configuration of the CSAADE framework, and improve automation and usability of the original proof-of-concept. Modular CSAADE permits the construction of dedicated CSAADE modules with pre-configured settings that layer target-specific security features on top of a core CSAADE capability. It also implements a flexible template-based approach that takes structured inputs from the developers and uses pre-defined templates to automatically mirror an existing software pipeline (e.g., install required dependencies, run build commands) and define CSAADE configurations (e.g., specific pipeline steps targeted by CSAADE, types of threats considered). 

The benefits of this new CSAADE architecture are two-fold. First, it permits tailoring the CSAADE security implementation to specific threats impacting the supply chain. Second, Modular CSAADE is mostly automated, taking the configuration and deployment burden off the software developers’ shoulders. Ultimately, Modular CSAADE may enable a novel supply chain security as a service approach that facilitates adapting the CSAADE capabilities to specific software programming languages, existing software development pipelines, and development environments. 

We share our experiences from a pilot implementation of the Modular CSAADE on a real, active mid-sized software development pipeline. We identify specific benefits, gaps, and technical challenges moving forward. The pilot results demonstrate the contributions of Modular CSAADE, showing that it is easy to configure, deploy, and use. Through extensive automation, it minimizes the amount of input information and time required from the developers to adapt the CSAADE analysis to existing software pipelines. 
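To make the chain-of-custody idea from the first paragraph concrete, the following is an added sketch, not CSAADE code: it assumes a hash-chained evidence log where each pipeline step's record is bound by an HMAC to the previous record and to the SHA-256 of that step's output. The function names, record fields, shared demo key and sample inputs are all constructed for illustration; a real deployment would more likely use asymmetric signatures and protected key material.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def append_record(log, key, step, evidence, artifact):
    """Append one evidence record, chained to the previous record's MAC."""
    body = {
        "step": step,
        "evidence": evidence,
        "artifact_sha256": digest(artifact),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    payload = json.dumps(body, sort_keys=True).encode()
    log.append({**body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()})


def verify(log, key, released_artifact):
    """Return (ok, reason): checks each MAC, each link, and the released artifact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"record {i}: evidence altered"
        if rec["prev"] != prev:
            return False, f"record {i}: chain broken"
        prev = rec["mac"]
    if not log or log[-1]["artifact_sha256"] != digest(released_artifact):
        return False, "released artifact does not match recorded build output"
    return True, "ok"


def demo():
    """Build a two-step log over constructed inputs (assumed pipeline: checkout, build)."""
    key = b"constructed-demo-key"  # assumption: stands in for protected key material
    source, binary = b"int main(){return 0;}", b"\x7fELF-constructed-build-output"
    log = []
    append_record(log, key, "checkout", {"commit": "constructed"}, source)
    append_record(log, key, "build", {"compiler": "constructed"}, binary)
    return log, key, binary
```

A consumer who runs `verify` against the shipped binary gets a failure reason if evidence was edited, a record was dropped, or the released artifact differs from what the build step recorded.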

References 

[1] Babun, L., CSAADE: Cryptographically Secure, Automatic Assurance Software Development Environment, High Confidence Software and Systems (HCSS) Conference Series, 2022. 

[2] Cybersecurity & Infrastructure Security Agency, Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA), January 2021, [Online]: https://www.cisa.gov/news-events/news/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure


Dr. Leo Babun is a member of the Senior Professional Staff at JHU/APL. He has more than 16 years of experience in research, system engineering, and cybersecurity. Leo serves as a Subject Matter Expert (SME) for defensive cyber programs within JHU/APL. His recent research focuses include software supply chain security, trusted computing, system security engineering, Delay-Tolerant Networks, and the Internet of Things (IoT).

License: CC-3.0
Submitted by Amy Karns on